Analysis
- max time kernel: 192s
- max time network: 206s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-12-2022 17:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: Purchase order 781830171.exe
- Resource: win7-20220901-en
General
- Target: Purchase order 781830171.exe
- Size: 602KB
- MD5: 94a7ae060dd2244f3e523ef87ac573d5
- SHA1: 6da1cf7a0e4a708e6c986a810cbe87ac73bbf5e1
- SHA256: 0d65bd3f562fa127be5f009203fed5b0da090648f61d10d03ded5c89228e3766
- SHA512: b079719fc7064d9137b53e078e331a19cf0805fec42a68e2c625af3eea95f0cd6aca84bbf75c46892fe03d35d0b186bd118a3821b77a748eadb663e1e2232f5b
- SSDEEP: 12288:zsBbFXMFRCMxYTri4ZzEouFxSdBTM09Zq8SblZuuNwApnkGngLr8z6:4jXMbhmT24yoW07q88lZuEnrngLrr
Malware Config
Extracted
- Family: formbook
- Campaign: yurm
Signatures

Executes dropped EXE (2 IoCs)
- PID 4440: wlljbvbd.exe
- PID 4280: wlljbvbd.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (wlljbvbd.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lpwvhpjmpint = "C:\\Users\\Admin\\AppData\\Roaming\\rmtdioxgullb\\jupjwwutq.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\wlljbvbd.exe\" \"C:\\Users\\Admin\\AppData" (wlljbvbd.exe)

Suspicious use of SetThreadContext (3 IoCs)
- PID 4440 (wlljbvbd.exe) set thread context of PID 4280 (procid_target 84)
- PID 4280 (wlljbvbd.exe) set thread context of PID 512 (procid_target 30)
- PID 3352 (colorcpl.exe) set thread context of PID 512 (procid_target 30)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Internet Explorer settings
- Key created: \Registry\User\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 (colorcpl.exe)

Suspicious behavior: EnumeratesProcesses (58 IoCs)
- PID 4280 wlljbvbd.exe (8 hits)
- PID 3352 colorcpl.exe (50 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 512 Explorer.EXE

Suspicious behavior: MapViewOfSection (9 IoCs)
- PID 4440 wlljbvbd.exe (2 hits)
- PID 4280 wlljbvbd.exe (3 hits)
- PID 3352 colorcpl.exe (4 hits)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 4280 wlljbvbd.exe
- Token: SeDebugPrivilege, PID 3352 colorcpl.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 4440 wlljbvbd.exe (2 hits)

Suspicious use of SendNotifyMessage (2 IoCs)
- PID 4440 wlljbvbd.exe (2 hits)

Suspicious use of WriteProcessMemory (13 IoCs)
- PID 968 (Purchase order 781830171.exe) wrote to memory of PID 4440 (procid_target 83), 3 hits
- PID 4440 (wlljbvbd.exe) wrote to memory of PID 4280 (procid_target 84), 4 hits
- PID 512 (Explorer.EXE) wrote to memory of PID 3352 (procid_target 85), 3 hits
- PID 3352 (colorcpl.exe) wrote to memory of PID 4692 (procid_target 86), 3 hits
Processes
- C:\Windows\Explorer.EXE (PID 512), command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Purchase order 781830171.exe (PID 968), command line: "C:\Users\Admin\AppData\Local\Temp\Purchase order 781830171.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe (PID 4440), command line: "C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe" "C:\Users\Admin\AppData\Local\Temp\vikaf.au3"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe (PID 4280), command line: "C:\Users\Admin\AppData\Local\Temp\wlljbvbd.exe"
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\colorcpl.exe (PID 3352), command line: "C:\Windows\SysWOW64\colorcpl.exe"
    - Suspicious use of SetThreadContext
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\Mozilla Firefox\Firefox.exe (PID 4692), command line: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 88KB
  MD5: 67dca33ac008f0e2ac4b9d15feaf3a29
  SHA1: d641f638dd1cb298b9051993b59fef4d7957cf89
  SHA256: ba0d7c863884b26cc510fbc2da2cefb70f5fa9454906873e9bcfab35fab48271
  SHA512: 860a1c2fdd9bc6e8b1998c7eb9b934ee3b04f435596637aa4c9994623b34fef96cc0a87e5cf7ccc7c1e9c97abf3c3c35cec7f1d937dcd3dfb47f064bb4647909
- Filesize: 185KB
  MD5: ab2fa9b3dcdfd2161b851d99d52723d4
  SHA1: 934665b0033865165cc46989b66f753c81df54d3
  SHA256: 81c13b87579bcd37a0875d6eaf4369c9a762fb5a1bc180b498a5457587334b22
  SHA512: 2a520d53722a9d6135a3cf2b38a73e48e92916b5f5623ddf803df467403a44801922b1d5dd35e4b80edc4507a3eadaafadef82c3455aa5891a99d48ae8f02de4
- Filesize: 6KB
  MD5: 866534baecedd53196af71713c36b65e
  SHA1: d05b9466d481ca8d3be3a190b85af494fccd9406
  SHA256: e772631fbcae9b3d339a9556899a5d44194ab2acdb061cb081514e94c92c18e6
  SHA512: 6947781c62d388da05e02621fa8696547f8bbaae3e1168afbaf1e9114c42c254f1344a3ad746357c6c98e191495291724ba1c09c987d43b83b8514d5c33f5ae6
- Filesize: 872KB
  MD5: c56b5f0201a3b3de53e561fe76912bfd
  SHA1: 2a4062e10a5de813f5688221dbeb3f3ff33eb417
  SHA256: 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
  SHA512: 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c